Migrated Psono Docker -> Vaultwarden Nix

nixos/roles/matrix.nix

@@ -10,6 +10,14 @@ in
     8080
   ];
 
+  sops.secrets = {
+    matrix_macaroon_secret = { };
+    matrix_registration_secret = {
+      owner = "matrix-synapse";
+      group = "matrix-synapse";
+    };
+  };
+
   services = {
     matrix-synapse = {
       enable = true;

nixos/roles/monitoring.nix

@@ -5,6 +5,11 @@ let
   );
 in
 {
+  sops.secrets.grafana_secret_key = {
+    owner = "grafana";
+    group = "grafana";
+  };
+
   services = {
     grafana = {
       enable = true;

nixos/roles/vaultwarden.nix

@@ -1,26 +1,37 @@
-{ config, pkgs, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 
 let
   address = config.systemd.network.networks."10-ethernet".networkConfig.Address;
-  ip = builtins.head (builtins.splitVersion address); # strips the /24
+  ip = builtins.elemAt (lib.splitString "/" address) 0;
   port = 8222;
 in
 {
   services.vaultwarden = {
     enable = true;
-    environmentFile = config.sops.templates.vaultwarden_env.path;
-    backupDir = "/var/lib/vaultwarden/backup";
+    environmentFile = config.sops.secrets.vaultwarden_admin_token.path;
+    backupDir = "/var/local/vaultwarden/backup";
 
     config = {
       DOMAIN = "http://${ip}:${toString port}";
       ROCKET_ADDRESS = "0.0.0.0";
       ROCKET_PORT = port;
       ROCKET_LOG = "critical";
-      SIGNUPS_ALLOWED = false;
+      SIGNUPS_ALLOWED = true;
       WEBSOCKET_ENABLED = true;
+      ROCKET_TLS = "{certs=\"/var/lib/vaultwarden/ssl/cert.pem\",key=\"/var/lib/vaultwarden/ssl/key.pem\"}";
     };
   };
 
+  sops.secrets.vaultwarden_admin_token = {
+    owner = "vaultwarden";
+    group = "vaultwarden";
+  };
+
   networking.firewall.allowedTCPPorts = [ port ];
 
   systemd.services.vaultwarden-backup-rotate = {
@@ -38,4 +49,24 @@ in
       Persistent = true;
     };
   };
+
+  # TODO: Remove for proper TLS Setup
+  systemd.services.vaultwarden-gen-cert = {
+    description = "Generate self-signed cert for Vaultwarden";
+    before = [ "vaultwarden.service" ];
+    wantedBy = [ "vaultwarden.service" ];
+    serviceConfig.Type = "oneshot";
+    script = ''
+      mkdir -p /var/lib/vaultwarden/ssl
+      if [ ! -f /var/lib/vaultwarden/ssl/cert.pem ]; then
+        ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 -nodes \
+          -keyout /var/lib/vaultwarden/ssl/key.pem \
+          -out /var/lib/vaultwarden/ssl/cert.pem \
+          -days 3650 \
+          -subj "/CN=${ip}" \
+          -addext "subjectAltName=IP:${ip}"
+        chown -R vaultwarden:vaultwarden /var/lib/vaultwarden/ssl
+      fi
+    '';
+  };
 }

nixos/sops.nix

@@ -1,30 +1,8 @@
-{ primaryUser, config, ... }:
+{ primaryUser, ... }:
 {
   sops = {
     defaultSopsFile = ../secrets/secrets.yaml;
     defaultSopsFormat = "yaml";
     age.keyFile = "/home/${primaryUser}/.config/nix/secrets/keys.txt";
-    secrets = {
-      grafana_secret_key = {
-        owner = "grafana";
-        group = "grafana";
-      };
-      matrix_macaroon_secret = { };
-      matrix_registration_secret = {
-        owner = "matrix-synapse";
-        group = "matrix-synapse";
-      };
-      vaultwarden_admin_token = {
-        owner = "vaultwarden";
-        group = "vaultwarden";
-      };
-    };
-    templates.vaultwarden_env = {
-      content = ''
-        ADMIN_TOKEN=${config.sops.placeholder.vaultwarden_admin_token}
-      '';
-      owner = "vaultwarden";
-      group = "vaultwarden";
-    };
   };
 }